Twitter Worm Pushing Rogue Antivirus Scam

Thousands of Twitter users are believed to have been hit with malicious
links tied to a rogue antivirus scam circulating the microblog service.
The scam is spreading through malicious links abusing the goo.gl
URL shortening service. According
to Kaspersky Lab, the malicious links redirect users to different domains
with an "m28sx.html" page. That HTML page redirects users to a static
domain with a Ukrainian top-level domain. From there, blogged Kaspersky Lab
Senior Malware Researcher Nicolas Brulez, the domain redirects the user to
an IP address pushing
fake antivirus.

"Once you are on this website," Brulez blogged, "you will get
[a] warning that your machine is running suspicious applications and you
are encouraged to scan it. ... The user is invited to remove all the threats from
their computer, and will download a fake Anti Virus [sic] application
called 'Security Shield.'"

Del Harvey, director of Trust and Safety for Twitter, tweeted during the day
that the company was working to remove the malicious links and reset passwords
on compromised accounts.
"What isn't yet clear is how the Twitter users found their accounts
compromised in this way," blogged Graham Cluley, senior technology
consultant at Sophos. "The natural suspicion would be that their usernames
and passwords have been stolen. It certainly would be a sensible precaution for
users who have found their Twitter accounts unexpectedly posting goo.gl links
to change their passwords immediately."
These kinds of attacks are hardly new to Twitter. In December,
users were targeted with shortened links that redirected them to the
compromised site of a French furniture company before passing them on to other
domains. In that case, the malicious URLs pointed to a copy of the Neosploit
attack toolkit.